System + Organization Controls (SOC) Reports

SOC Reports are designed to build trust and confidence in service delivery processes and controls through a report by an independent certified public accountant.


Adding Value to

Service Organizations and User Entities

Service organizations that provide information system services or process transactions on behalf of another party (the “user entity”) increasingly require SOC reports to do business.

SOC reports were initially requested primarily to satisfy financial statement audit requirements, but are now required to support regulatory compliance, address third party risk management, understand the status of cybersecurity controls and to satisfy stakeholders’ demand for transparency.

Service organizations benefit from SOC examination by
+ Alleviating the need for multiple requests for audits;
+ Limiting time spent responding to vendor questionnaires;
+ Building trust and confidence with user entities;
+ Analyzing the efficiency and effectiveness of their control processes, and
+ Differentiating from their peers.


Types of

SOC Reports

The various forms of SOC report are designed to support your specific business goals and user needs.


SOC 1 reports look at internal controls over financial reporting and are restricted-use reports. We offer both SOC 1 Type 1 and Type 2 services.

Type 1– report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Type 2 - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

While generally a restricted report, SOC 2 (both Type 1 and Type 2) evaluate system reliability controls related to compliance or operations.

A SOC 2+ takes into consideration additional subject matter in order to assess SOC 2 compliance and simultaneously compliance with other privacy regulations and standards.

The SOC 3 is a trust service report, and is available for general use, with a public seal. It assesses system reliability controls related to compliance or operations.

The Cybersecurity SOC is also appropriate for general use, and the process involves looking at the entity’s cybersecurity risk management program. Type 1 and 2 are offered.


Trust Services

Principles + Criteria

Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (control criteria), are used to evaluate the controls within an entity's cyber risk management program, or for SOC 2® and SOC 3® engagements.


Security –

The system is protected against unauthorized access


Availability –

The system is available for operation and use as committed or agreed


Process Integrity –

System processing is complete, accurate, timely, and authorized


Confidentiality –

Information designated as confidential is protected as committed or agreed


Privacy –

Personal information obtained as a result of ecommerce is collected, used, disclosed, and retained as committed or agreed


SOC Report

Engagement Process

Our four-phase process for conducting SOC engagements is designed for engagement efficiency and thoroughness but adaptable to your timeline and operations.


In this phase, we confirm scope and objectives. For new clients, we will spend time taking a deeper dive into understanding your systems and operations. For existing clients, we will evaluate any significant changes (e.g., addition of a Trust Services Principal, new system, change in third party service provider, etc.)


Once we have confirmed the scope, we create a more detailed timeline, share our client assistance requirements, and communicate our plan to our client.


Our fieldwork is performed through both interim and period-end testing. With our deep industry knowledge and planning leading up to fieldwork, we limit the impact of our work on your personnel.

Wrap-Up and Reporting

Once our fieldwork has concluded, we prepare the Management Rep Letter, go through our Quality Review process, issue your final report, and hold a closing meeting.


Hot Topics

Know What’s Happening

Watch our webinar to get up-to-date on the latest GAAP accounting and auditing developments impacting the insurance industry, including best practices for implementing the credit loss standard, changes to audit requirements related to auditing the loss reserve estimate, and changes […]

Delve into the latest auditing standard updates regarding estimates and the use of specialists. During this webinar, our panel discusses Statements on Auditing Standards (SAS) 143 and 144, their impact on auditing insurance company loss reserves, and the use of […]




We proudly add value to our clients by specializing in providing these services to your industry, working with various entities similar in operations, size, or areas of opportunity.


Insurance entities face regulations as well as IT and business risks. In such an environment, independent verification of your operational processes and security procedures is no longer nice to have, but a requirement to do business. The Johnson Lambert team works with insurance entities day-in and day-out, and this experience along with our integrated team of financial/operational and IT auditors’ credentials and training translate to a streamlined approach focused on the right areas for your organization.


If part of your nonprofit’s or related entity’s services or offerings include software as a service, access to sensitive data, a SOC report may benefit your organization in better illustrating the strength of your internal controls. Johnson Lambert has a team of both IT and financial/operational auditors who bring together their skills, credentials, and commitment to continuous learning with extensive experience in the nonprofit space.


We Are Here to Support Your Specific Business Goals and User Needs.

Get started today.